The organizational data are the real assets of the present day organizations whether they deal with services or products. The organizational information can be the sales data or process data or any other important data. There are certain forces always trying to steal data from other organizations and inflict them as it happened to Google, Adobe, RSA, Lockheed Martin, PBS, and Sony. Those forces make use of Advance Persistent Threats (APTs) which access network and stay unnoticed for a long time being undetected, waiting for the right opportunity to steal data, like a skilful thief. The APTs can do irreparable damages to the target organizations even before the organizations know about it, as APTs target the weakest link in the system. Hence, there is a need for consistent efforts to combat APT to safeguard data for the continued effective functioning of the organizations.
How do Advance Persistent Threats (APTs) work
1. The APTs target individuals, specific organizations or the entire industry like banking or defense system of a country with an ulterior motive of stealing or manipulating data.
2. There are plenty of methods adopted by APTs to initially infect the system by foot-holding into the organizational data. Carelessly visiting an infected site, opening the attachment of a malicious email and plugging-in of an infected USB do happen throughout the world, even with complete awareness of the strategies of APT. The entry point in all the cases is only the initial system.
3. The affected system obeys and starts passing sensitive data as a slave to the command and control (C&C) server, as the infected system develops the connectivity to C&C.
4. The malware remains undetected and tries to spread to the other systems also. It looks for an opportunity to take advantage of vulnerabilities and uses hijacked credentials also to reach its objective.
An effective protection takes place because of in-depth defenses, as simple defenses fail since simple defenses are not that strong. There are plenty of capabilities of in-depth defenses protecting an entity from threats, let it be a contractor and staff vetting, efficient and effective access management, the definition of key information by departmentalizing it and so on. This includes other important functions like HR and physical security. The response teams of operations against fraud must involve sector-led intelligent reports and alerts. A strong single layer of fraud prevention is enough to stop determined attackers.
The defenses must be effectively working in three different areas.
- Defenses at the end point: At this level, browsing applications must be secured. The hardware and the transaction signing devices must function effectively.
- Defenses at the navigation layer: They must monitor the session navigation behaviour and it must be compared with normal patterns
- Linking layer: There has to be a relationship between internal and external entities to detect the misuse or any collusive criminal activity.
The signals that may combine into Advance Persistent Threats must be watched and correlated. The following signals must be taken into consideration:
- Any new error in general business applications notified by the intelligence reports
- Any unidentified call trying to access the email address of the key resource persons
- Any error or mistake in firewall system
- Any escalated traffic in a device
All these kinds of information will be significant to detect the APT determined to target the organization. The asset-specific security controls must be initiated to protect the assets of the organization. The perimeter specific security mentality must accept the technique of ‘every- component-ready’ situation.
As the perpetrators are well-organized, the detection of attacks has attained only limited success. The organizations must take steps to devise the solutions for prevention and detection of APTs to ensure the best protection of network. Any efficient detection technique will either protect the system entirely or, at least, minimize the damages.
The Specialized Threat Analysis and Protection (STAP) details three types of analysis to detect data breaches:
- Boundary Analysis: useful to protect very important and endangered files.
- Endpoint Analysis: useful to protect endpoint devices and systems.
- Internal Network Analysis: good at monitoring network flows.
The open source Security Information and Event Management System (SIEM) is specially designed to detect the Denial of Services (DOS) attack, launched through the remote desktop service. The DOS attackers deny the customers or stack-holders from accessing their own data.
Incident response of Advance Persistent Threats attack
Every organization must possess an incident response plan and provide an education to the individuals and the system, those remain vulnerable to attacks. The initial response phase is significant to prepare investigation phase and it should ensure a fitting response as any half-hearted approach will only alert the hackers. A holistic attack is what is desired and feasible as remedying sub-set is futile and ineffective. The root cause of every attack has to be analysed for addressing them in future if it recurs.
An effective Incident Response Plan must have the following components:
- Risk Assessment: An assessment of assets as well as data stores and the vulnerabilities of them with the maximum possible damage, in the case of an attack must take place.
- Security Assessment: The security measures to protect the assets and the assessment of required solution are to be undertaken.
- Organizational preparedness: The preparedness of the organization to face bravely any attack has to be checked from three perspectives such as identifying the vulnerable individuals, implementing suitable access control and training the employees suitably to thwart any eventuality of attack.
- Operational preparedness: A competent incident response team with the capabilities to face any attack any time, with due communication channel including the state law enforcement authorities and mock trials of attacks will indicate the preparedness.
- Detection technologies: The technologies that are to be used are to work in the relevant areas like malware detection, assessing the scope of attack, maintaining the history of third party attacks, studying unusual connection patterns and downloads and loss-prevention activities due to data breaches.
- Investigation and initial responses: These activities can take place from two perspectives;
- Internal stakeholder notification denoting the president, the board, the IT team and the CEO/ CTO.
- External Strategy notification: In the case of need must include law enforcement authorities, Regulatory bodies, and corporate relations.
- Containing and Countermeasures: Intrusion prevention methods, tools for cleaning the infected devices and finalizing the firewall rules must take place as significant measures.
The data like employee data that are vital for the organizations must be encrypted, as hackers do not spend much time on their mission. They target only vulnerable data, so if the data are heavily protected the chances of attack are less. The next generation security technologies must be used. The breach-prevention activities must be supported by adequate cyber security solutions.
Keywords: Advance Persistent Threats, APT, Strategies, Incident response, Cyber Security, Network Security, Malware, Defense-in-depth, Denial of Services, Security Technologies
Quadrant Knowledge Solutions Security Technology division continuously track the market for Security Technologies. Please visit our Market Research section for more information on available Market Outlook Research on Various Security Technologies.
About Quadrant Knowledge Solutions
Quadrant Knowledge Solutions is a global advisory and consulting firm focused on helping clients in achieving business transformation goals with Strategic Business, and Growth advisory services.
Our Strategic Business, and Growth Advisory services are organized specifically to help clients develop and validate strategies based on global mega trends, understand the business potential and untapped opportunities, and strategies for growth. Our Market Research service is designed to satisfy your entire market intelligence requirement for all of your products and services in one customized package. Our experts can map your entire offerings and suitably recommend your custom Market Research package.